Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/12/2024, 03:47
Static task: static1
Behavioral task: behavioral1
Sample: e9bd4c8fb1cd2b62716375fe9088eb81_JaffaCakes118.dll
Resource: win7-20241023-en
Note: the Behavioral task entry names the Windows 7 resource, but the platform and resource fields above are win10v2004-20241007-en and the memory dumps in the signature section are named under behavioral2/memory/, so the signature, process and memory data on this page come from the Windows 10 run.
General
- Target: e9bd4c8fb1cd2b62716375fe9088eb81_JaffaCakes118.dll
- Size: 74KB
- MD5: e9bd4c8fb1cd2b62716375fe9088eb81
- SHA1: 54e408d6c2b38318e00ab8f43dcb5f27a9d1f463
- SHA256: e0c42e1ddf6c7671c260d9a4e764a17d0b07845d9d2e7d15717d7aa9040ca553
- SHA512: 8cc1316a18d211f9b52dbc9f3812e966ccb4462a4b6ace01f7d5ddbf5c6081a57a917f80f7e8082e764293254d403770f0eaff10f0e6015deb16b2984807ff20
- SSDEEP: 1536:jc0oQJlEPEcbpnAr6+vpVxu7l16n5OpoUR2/PCfFlsehgoVr0GHSW:jfJrEP1irBHxuba5OpoUIPuFSQR0GyW
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57ac4d.exe
Sality family

UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ac4d.exe

Windows security bypass 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ac4d.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | e57ac4d.exe

Disables Task Manager via registry modification (no IoC rows shown on this page)
Executes dropped EXE 1 IoCs
pid | Process
3516 | e57ac4d.exe

Windows security modification 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57ac4d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57ac4d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57ac4d.exe

Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ac4d.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | e57ac4d.exe
(21 root opens: every letter from E: to Z: except F:)
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | e57ac4d.exe
File opened for modification | F:\autorun.inf | e57ac4d.exe
UPX (yara rule upx) 38 IoCs
resource | yara_rule
behavioral2/memory/3516-NN-0x0000000000810000-0x000000000189E000-memory.dmp | upx
for NN in 10, 11, 12, 13, 14, 19, 22, 23, 24, 25, 26, 27, 28, 29, 31, 32, 33, 35, 37, 41, 42, 46, 48, 50, 52, 53, 54, 55, 59, 60, 70, 71, 72, 74, 75, 76, 79, 80 (38 dumps of the same memory region of PID 3516)
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | e57ac4d.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | e57ac4d.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | e57ac4d.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | e57ac4d.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | e57ac4d.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | e57ac4d.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | e57ac4d.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | e57ac4d.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | e57ac4d.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | e57ac4d.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | e57ac4d.exe
Note that every target is an existing executable (7-Zip and Office Click-to-Run) opened for modification rather than a new file being written; for a Sality sample this is the PE file-infection behaviour, so installed programs on an infected host must be treated as untrusted.
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | rundll32.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57ac4d.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57ac4d.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid | Process
3516 | e57ac4d.exe (30 identical records)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3516 | e57ac4d.exe (64 identical records)
Suspicious use of WriteProcessMemory 64 IoCs
Unique (source PID -> target PID) pairs from the 64 records, with the target image taken from the process list, the report's procid_target index in parentheses, and the number of records for each pair:
- 1608 rundll32.exe -> 3720 rundll32.exe (83) x3
- 3720 rundll32.exe -> 3516 e57ac4d.exe (84) x3
- 3516 e57ac4d.exe -> 784 fontdrvhost.exe (8) x4
- 3516 e57ac4d.exe -> 792 fontdrvhost.exe (9) x4
- 3516 e57ac4d.exe -> 340 dwm.exe (13) x4
- 3516 e57ac4d.exe -> 2924 sihost.exe (50) x3
- 3516 e57ac4d.exe -> 2960 svchost.exe (51) x3
- 3516 e57ac4d.exe -> 3044 taskhostw.exe (52) x3
- 3516 e57ac4d.exe -> 3488 Explorer.EXE (56) x3
- 3516 e57ac4d.exe -> 3624 svchost.exe (57) x3
- 3516 e57ac4d.exe -> 3812 DllHost.exe (58) x3
- 3516 e57ac4d.exe -> 3904 StartMenuExperienceHost.exe (59) x3
- 3516 e57ac4d.exe -> 3968 RuntimeBroker.exe (60) x3
- 3516 e57ac4d.exe -> 4044 SearchApp.exe (61) x3
- 3516 e57ac4d.exe -> 4156 RuntimeBroker.exe (62) x3
- 3516 e57ac4d.exe -> 2364 TextInputHost.exe (74) x3
- 3516 e57ac4d.exe -> 3276 RuntimeBroker.exe (76) x3
- 3516 e57ac4d.exe -> 3224 backgroundTaskHost.exe (81) x1
- 3516 e57ac4d.exe -> 1608 rundll32.exe (82) x3
- 3516 e57ac4d.exe -> 3720 rundll32.exe (83) x6
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57ac4d.exe
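To make the registry and file IoCs in the signature section reusable outside this one report, here is an added Python example (not tria.ge code and not part of the original report) that parses rows in the report's "description ioc Process" layout and maps them to the signature names used on this page. The sample rows are copied from this report; the rule table, the ATT&CK technique IDs attached to each rule and the three-drive threshold used to reproduce "Enumerates connected drives" are this example's own assumptions.

```python
"""Map sandbox IoC rows to the signatures used in this report.

Added example for this page, not tria.ge code. The sample rows are copied from
the report's IoC tables; the rule table, the ATT&CK technique IDs and the
drive-enumeration threshold are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed input: rows in the report's "description ioc Process" layout.
SAMPLE_IOCS = r'''
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e57ac4d.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e57ac4d.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e57ac4d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57ac4d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e57ac4d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e57ac4d.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57ac4d.exe
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" e57ac4d.exe
File opened (read-only) \??\E: e57ac4d.exe
File opened (read-only) \??\G: e57ac4d.exe
File opened (read-only) \??\H: e57ac4d.exe
File opened for modification C:\autorun.inf e57ac4d.exe
File opened for modification F:\autorun.inf e57ac4d.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
'''

# One row: <action> <path, may contain spaces> [= "<data>"] <process image>
IOC_RE = re.compile(
    r"^(?P<action>Set value \(\w+\)|Key created|Key opened"
    r"|File opened \(read-only\)|File opened for modification)\s+"
    r"(?P<path>\S+(?: \S+)*?)"
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'
    r"\s+(?P<process>\S+\.exe)$"
)
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")      # \??\E: style volume root


def parse_ioc(line):
    """Split one row into action/path/data/process; None if it is not a row."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["path_l"] = event["path"].lower()
    event["name"] = event["path_l"].rsplit("\\", 1)[-1]   # last path component
    return event


def _set(event, *names, data):
    """True when the row sets one of `names` (lower-case value names) to `data`."""
    return (event["action"].startswith("Set value")
            and event["name"] in names and event["data"] == data)


# (signature name as used in the report, ATT&CK technique, predicate); assumed mapping
RULES = [
    ("Modifies firewall policy service", "T1562.004",
     lambda e: "\\firewallpolicy\\" in e["path_l"]
     and (_set(e, "enablefirewall", "donotallowexceptions", data="0")
          or _set(e, "disablenotifications", data="1"))),
    ("UAC bypass", "T1548.002",
     lambda e: e["path_l"].endswith("\\policies\\system\\enablelua")
     and _set(e, "enablelua", data="0")),
    ("Windows security bypass", "T1562.001",
     lambda e: "\\security center\\" in e["path_l"]
     and e["name"].endswith(("override", "disablenotify"))
     and _set(e, e["name"], data="1")),
    ("Disables RegEdit via registry modification", "T1562.001",
     lambda e: _set(e, "disableregistrytools", data="1")),
    ("Drops autorun.inf file", "T1091",
     lambda e: e["action"] == "File opened for modification"
     and re.fullmatch(r"[a-z]:\\autorun\.inf", e["path_l"]) is not None),
]


def classify(lines, drive_threshold=3):
    """Return {process: {"signatures": [(name, technique), ...], "drives": [letters]}}."""
    found = defaultdict(lambda: {"signatures": set(), "drives": set()})
    for line in lines:
        event = parse_ioc(line)
        if event is None:
            continue
        rec = found[event["process"]]
        for name, technique, predicate in RULES:
            if predicate(event):
                rec["signatures"].add((name, technique))
        if event["action"] == "File opened (read-only)":
            m = DRIVE_RE.match(event["path"])
            if m:
                rec["drives"].add(m.group(1))
    for rec in found.values():
        # Root opens on several volumes: the report's "Enumerates connected drives"
        if len(rec["drives"]) >= drive_threshold:
            rec["signatures"].add(("Enumerates connected drives", "T1120"))
    return {proc: {"signatures": sorted(rec["signatures"]), "drives": sorted(rec["drives"])}
            for proc, rec in found.items()}


if __name__ == "__main__":
    for proc, rec in classify(SAMPLE_IOCS.splitlines()).items():
        print(proc, "drives:", rec["drives"])
        for name, technique in rec["signatures"]:
            print(f"  {technique}  {name}")
```

The rules key on the value name and data rather than the full key path, so the same table matches both the native `SOFTWARE\Microsoft\Security Center` and the `WOW6432Node` paths this 32-bit sample writes; the drive heuristic is an aggregate over a process's rows, which is why it is computed after the per-row rules.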
Processes
The 64-bit C:\Windows\system32\rundll32.exe (PID 1608) re-launches the 32-bit DLL through C:\Windows\SysWOW64\rundll32.exe (PID 3720), which drops and runs e57ac4d.exe (PID 3516); indentation follows the report's depth markers, and the command line is given in parentheses after each image path.

- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID 784
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID 792
- C:\Windows\system32\dwm.exe ("dwm.exe") PID 340
- C:\Windows\system32\sihost.exe (sihost.exe) PID 2924
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID 2960
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID 3044
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID 3488
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9bd4c8fb1cd2b62716375fe9088eb81_JaffaCakes118.dll,#1) PID 1608
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9bd4c8fb1cd2b62716375fe9088eb81_JaffaCakes118.dll,#1) PID 3720
      signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57ac4d.exe (C:\Users\Admin\AppData\Local\Temp\e57ac4d.exe) PID 3516
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID 3624
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID 3812
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID 3904
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID 3968
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID 4044
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID 4156
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID 2364
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID 3276
- C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca) PID 3224
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

1. Filesize: 69KB
   MD5: e52feaaced158e387af2c3557044ddea
   SHA1: da3ab811aba1f950e4d135a5372166cbec55378b
   SHA256: 4dccbed4aaa3056131c23b7c4a83d46dbfe0602e8bfe42fc003f2a59a12a75dd
   SHA512: bccbd21f77dcf44be6bea2365b168a6c09361a365f30811144443d7ac4e5734e6bd07d8fb562493a47e758a29786815eee8d1cf3db2c8f3c9ed9371c8076c872

2. Filesize: 277B
   MD5: 64e06038eed5f68454d8df78c0811e81
   SHA1: 167fc5e3c6f6b2efcdb59e975b9d311c19a200d1
   SHA256: 6d75e455fb50001209cbcde31f6834a7c9c5f2888b82219690b7a9c9ca00d233
   SHA512: 6c4251660ee41c4e1de561852253a7a316bd0ef55a27a792b8d8492289b1c6940605c5bea7059df1b45c1d036ac222562a933cba2d0db839a8d3bea924256df2

3. Filesize: 100KB
   MD5: 553dc4ebdc754f7c94609c1c7121ae61
   SHA1: 50bad9ded1361319e507a385d78f1cb8a2bf69d5
   SHA256: 93fed783bd381d588a0ae3be0815f906cd9d4e20b7156dd1f80c7ead9a94777e
   SHA512: 3ba75aa4cbaaffbd9adb0fa7ab362277ee6e515ed2ed37af81944c2da5262bb8d6427c69a337db8115e8f0c915f9c9124e1369add9e12378625f09fabbaf8dd1